diff --git a/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch b/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
new file mode 100644
index 0000000..60a6c54
--- /dev/null
+++ b/0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch
@@ -0,0 +1,51 @@
+diff -up vim82/src/errors.h.cve1420 vim82/src/errors.h
+--- vim82/src/errors.h.cve1420 2022-04-25 16:01:03.559985019 +0200
++++ vim82/src/errors.h 2022-04-25 16:01:58.113332024 +0200
+@@ -383,3 +383,7 @@ EXTERN char e_cannot_use_default_values_
+ INIT(= N_("E1172: Cannot use default values in a lambda"));
+ EXTERN char e_resulting_text_too_long[]
+ INIT(= N_("E1240: Resulting text too long"));
++#ifdef FEAT_EVAL
++EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
++ INIT(= N_("E1275: String or function required for ->(expr)"));
++#endif
+diff -up vim82/src/eval.c.cve1420 vim82/src/eval.c
+--- vim82/src/eval.c.cve1420 2022-04-25 16:01:03.560985007 +0200
++++ vim82/src/eval.c 2022-04-25 16:14:11.746600369 +0200
+@@ -3718,13 +3718,20 @@ eval_lambda(
+ if (**arg != ')')
+ {
+ emsg(_(e_missing_close));
+- ret = FAIL;
++ return FAIL;
++ }
++ if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC
++ && rettv->v_type != VAR_PARTIAL)
++ {
++ emsg(_(e_string_or_function_required_for_arrow_parens_expr));
++ return FAIL;
+ }
+ ++*arg;
+ }
+ if (ret != OK)
+ return FAIL;
+- else if (**arg != '(')
++
++ if (**arg != '(')
+ {
+ if (verbose)
+ {
+diff -up vim82/src/testdir/test_lambda.vim.cve1420 vim82/src/testdir/test_lambda.vim
+--- vim82/src/testdir/test_lambda.vim.cve1420 2022-04-25 16:01:03.560985007 +0200
++++ vim82/src/testdir/test_lambda.vim 2022-04-25 16:17:01.694886566 +0200
+@@ -64,6 +64,10 @@ function Test_lambda_fails()
+ call assert_fails('echo {a, a -> a + a}(1, 2)', 'E853:')
+ call assert_fails('echo {a, b -> a + b)}(1, 2)', 'E451:')
+ echo assert_fails('echo 10->{a -> a + 2}', 'E107:')
++ call assert_fails('eval 0->(3)()', "E1275:")
++ call assert_fails('eval 0->([3])()', "E1275:")
++ call assert_fails('eval 0->({"a": 3})()', "E1275:")
++ call assert_fails('eval 0->(xxx)()', "E121:")
+ endfunc
+
+ func Test_not_lamda()
diff --git a/vim.spec b/vim.spec
index 00dbd32..84012f6 100644
--- a/vim.spec
+++ b/vim.spec
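Review bot: The new type check in eval_lambda reads `rettv->v_type` before the `if (ret != OK)` test a few lines further down in the same eval.c hunk, so it also runs when the expression evaluation that precedes the hunk has already failed. If that evaluation (not visible here) leaves rettv without a string or function type on failure, an input like `0->(xxx)()` would presumably report E1275 on top of E121. The added test only pins the first error, so it would not notice. Guarding the check with the result, `if (ret == OK && rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC`, keeps the rejection of non-callable values while reporting only the original error. eval_lambda starts and ends outside the hunk, so whether rettv is released by the caller on the two new early `return FAIL` paths (for example for the list and dict cases in the test) should be confirmed against the full function.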
@@ -122,6 +122,8 @@ Patch3044: 0001-patch-8.2.4327-may-end-up-with-no-current-buffer.patch Patch3045: 0001-patch-8.2.4563-z-in-Visual-mode-may-go-beyond-the-en.patch # CVE-2022-1154 vim: use after free in utf_ptr2char Patch3046: 0001-patch-8.2.4646-using-buffer-line-after-it-has-been-f.patch +# CVE-2022-1420 vim: Out-of-range Pointer Offset +Patch3047: 0001-patch-8.2.4774-crash-when-using-a-number-for-lambda-.patch # gcc is no longer in buildroot by default BuildRequires: gcc @@ -355,6 +357,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch3044 -p1 -b .cve0554 %patch3045 -p1 -b .cve0943 %patch3046 -p1 -b .cve1154 +%patch3047 -p1 -b .cve1420 %build cd src @@ -914,6 +917,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags %changelog * Mon Apr 25 2022 Zdenek Dohnal - 2:8.2.2637-17 - CVE-2022-1154 vim: use after free in utf_ptr2char +- CVE-2022-1420 vim: Out-of-range Pointer Offset * Mon Mar 28 2022 Zdenek Dohnal - 2:8.2.2637-16 - CVE-2022-0554 vim: Use of Out-of-range Pointer Offset in vim prior